Privacy Certificate and Confidentiality Requirements of NIJ Funding

As you know, much of the research conducted by the National Institute of Justice (NIJ) involves collecting data on individuals through direct observation, interview or survey, case records, crime reports, and other administrative records. These activities raise a number of ethical and legal concerns about harm or embarrassment to individuals that must be addressed before the research may be conducted. NIJ and recipients of NIJ funding are subject to the statutory and regulatory confidentiality requirements of 42 USC §3789g and 28 CFR Part 22. Both 42 USC §3789g and 28 CFR Part 22 provide that research and statistical information identifiable to a private person is immune from legal process and may only be used or revealed for research purposes.

The regulations at 28 CFR Part 22 require all applicants for NIJ funding to submit a Privacy Certificate as a condition of approval of a grant application or contract proposal that contains a research or statistical component under which personally identifiable information will be collected. The Privacy Certificate is the applicant's assurance that he/she understands his/her responsibilities to protect the confidentiality of research and statistical information and has developed specific procedures to ensure that this information is only used or revealed in accordance with the requirements of 42 USC §3789g and 28 CFR Part 22.

NIJ, as a matter of policy, requires that Privacy Certificates be submitted as part of all applications regardless of whether the project involves the collection of identifiable data. In cases where no personally identifiable information will be collected, the Privacy Certificate should contain a statement to this effect.

In order to assist you, we provide guidelines for preparing the Privacy Certificate and a sample format.

Privacy Certificate Guidelines

The following summarizes the requirements of 28 CFR §22.23 and should be used as a guide to completing the Privacy Certificate.

  1. The Privacy Certificate must fully describe the following:
    • Procedures to ensure data confidentiality.
    • Procedures to ensure the physical and administrative security of data.
    • Procedures for subject notification or justification for waiver.
    • Procedures for final disposition of data.
  2. The Privacy Certificate must also include the name and title of the person:
    • With primary responsibility for ensuring compliance with the regulations.
    • Authorized to approve transfers of data.
    • Authorized to determine final disposition procedures for the data collected and developed by the project.
  3. The Privacy Certificate must contain assurances by the applicant that:
    1. Data identified to a specific individual will not be used or revealed unless it is research or statistical information that is being used for research and statistical purposes.
    2. Identified data will be used or revealed only on a need-to-know basis to:
      • Officers, employees, and subcontractors of the recipient of assistance;
      • Persons and organizations receiving transfers of information for research and statistical purposes only if an information transfer agreement is entered into in which the recipient is bound to use the information only for research and statistical purposes and to take adequate administrative and physical precautions to ensure the confidentiality of the information.
    3. Employees with access to data on a need-to-know basis will be advised in writing of the confidentiality requirements and must agree in writing to abide by these requirements.
    4. Subcontractors requiring access to identifiable data will only do so according to an information transfer agreement which states that the confidentiality of the data must be maintained and that the information may only be used for research or statistical purposes.
    5. Private persons from whom identifiable data are obtained or collected will be advised either orally or in writing that the data will only be used for research and statistical purposes and that compliance with requests for information is not mandatory. That is, participation in the research is voluntary and may be withdrawn at any time. If the notification requirement is to be waived, an explanation must be contained within the Privacy Certificate.
    6. Adequate precautions will be taken to ensure the administrative and physical security of the identifiable data.
    7. A log indicating that identifiable data have been transferred to persons other than those in NIJ or other OJP bureaus, created under the Omnibus Crime Control Act or its amendments, or to grantee, contractor, or subcontractor staff will be maintained and will indicate whether the data has been returned or if there is an alternative agreement for the future maintenance of such data.
    8. Project plans will be designed to preserve the anonymity of persons to whom the information relates, including where appropriate, name-stripping, coding of data, or other similar procedures.
    9. Project findings and reports prepared for dissemination will not contain information which can reasonably be expected to be identifiable to a private person.
    10. Upon completion of the project, the security of research or statistical information will be protected by either:
      • the complete physical destruction of all copies of the materials or the identified portions of the materials after a three year required recipient retention period or as soon as authorized by law; or
      • the removal of identifiers from the data and separate maintenance of a name-code index in a secure location.

      If you choose to keep a name-code index, you must maintain procedures to secure such an index.

Date Entered: November 20, 2007